[PATCHES v1] GPO support for client USER policy (browser proxy)

Samba - samba-technical mailing list
These patches add client user policy support to Samba.
This adds a call to winbind to execute the samba_gpupdate
script when a user authenticates via PAM. The samba_gpupdate
script is passed the credentials of the authenticating user,
and group policy is applied for that user account.
This first set of patches adds browser proxy policies. Setting
an Internet Explorer browser proxy GPO will apply the proxy
settings to the respective http_proxy, https_proxy, and
ftp_proxy environment variables for a Samba user.

There is a significant problem in the winbind pam patch
that still needs to be addressed, and I'd like some review and
feedback. We must have the user's credentials in
samba_gpoupdate in order to look up their GPO policies,
but what is the best way to pass those credentials from
winbind to a script? These patches simply pass the
credentials via the command line in plain text (bad).
Can we assume this user is kinit'd by pam winbind
(I have no idea here)? If so, we could probably just pass
the krb5 ccache location for creds. Thoughts?

 python/samba/gp_browser_ext.py        | 104 ++++++++++++++++++++++++++
 python/samba/gp_env_var_ext.py        |   1 +
 python/samba/gpclass.py               |  20 ++++-
 selftest/target/Samba4.pm             |   4 +-
 source3/winbindd/winbindd_gpupdate.c  |  35 +++++++++
 source3/winbindd/winbindd_pam_auth.c  |   3 +
 source3/winbindd/winbindd_proto.h     |   1 +
 source4/scripting/bin/samba_gpoupdate |  13 +++-
 source4/torture/gpo/apply.c           | 240
 9 files changed, 396 insertions(+), 25 deletions(-)

David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Attachment: user_policy.mbox.txt (33K)
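
The credential-passing concern raised in the message, as an added example that is not part of the posted patches or of Samba: on Linux a child's argv is exposed through /proc/<pid>/cmdline, while a secret written to the child's stdin pipe does not appear there. The helper script, the `--password=` flag and the sample password are hypothetical stand-ins, and the stdin pipe is one generic alternative, not the krb5 ccache approach the message asks about.

```python
import subprocess
import sys

# Constructed sample secret; not a real credential.
SAMPLE_PASSWORD = "constructed-sample-pw"

# Hypothetical stand-in for the policy script. It takes the password from a
# hypothetical --password= flag if present, otherwise from one line on stdin,
# and reports only the length it received.
CHILD = r'''
import sys
line = sys.stdin.readline().rstrip("\n")  # blocks until the parent writes or closes
flag = [a for a in sys.argv[1:] if a.startswith("--password=")]
pw = flag[0].split("=", 1)[1] if flag else line
print(len(pw))
'''


def cmdline_of(pid):
    """Return a process's argv as exposed by /proc/<pid>/cmdline (Linux)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode() for a in f.read().split(b"\0") if a]


def run_helper(password, via_argv):
    """Start the helper; return (argv seen in /proc, helper got the password)."""
    argv = [sys.executable, "-c", CHILD]
    if via_argv:
        argv.append("--password=" + password)
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    visible = cmdline_of(proc.pid)  # helper is still blocked on stdin here
    out, _ = proc.communicate("" if via_argv else password + "\n")
    return visible, int(out) == len(password)


def leaks(visible, password):
    """True if the password appears anywhere in the visible argv."""
    return any(password in arg for arg in visible)


if __name__ == "__main__":
    for via_argv in (True, False):
        visible, received = run_helper(SAMPLE_PASSWORD, via_argv)
        how = "argv" if via_argv else "stdin pipe"
        print(f"{how}: received={received} "
              f"visible_in_proc={leaks(visible, SAMPLE_PASSWORD)}")
```

In both runs the helper receives the password; only the argv run leaves it readable in the process listing for the lifetime of the child.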